Commit graph

114 commits

Author SHA1 Message Date
Swissky
32d9f7550d XPATH + XSS + XXE + XSLT 2024-11-30 21:14:51 +01:00
Swissky
f333d48960 Fix invalid spaces indents 2024-11-13 14:08:26 +01:00
Swissky
0a5ecc407c Normalize page header for Web Socket, XSLT, XSS, XXE 2024-11-10 21:15:44 +01:00
Swissky
4f0e6334bd References updated for XSS + page splitted in subcategories 2024-11-08 18:23:43 +01:00
Swissky
37641d2b9e References updated for XPATH, XSLT, XXE, Web Socket 2024-11-07 23:50:30 +01:00
Swissky
6e77f624f2
Merge pull request #728 from isacaya/add_xss_bypass
Add a few XSS filter bypass cases
2024-11-02 15:16:46 +01:00
Swissky
9866fef5b4 Bypass CSP, technique from #715 2024-11-02 12:26:45 +01:00
Swissky
eb4795047b
Merge pull request #746 from TRKBKR/master
Added oncontentvisibilityautostatechange to XSS in hidden input
2024-11-02 11:44:08 +01:00
Swissky
e3877d1979
Merge pull request #739 from FatEarthler/master
added 'xss_alert_identifiable.txt'
2024-11-02 11:38:30 +01:00
Swissky
acb509d436 SVG XSS fix typo from #729 + files 2024-11-02 11:27:26 +01:00
Swissky
53ba2932ab
Merge pull request #729 from noraj/patch-1
XSS in SVG: more examples + nesting
2024-11-02 11:21:27 +01:00
ⵟⴰⵕⵉⴽ ⴱⴰⴽⵉⵕ
faeee7270a
Update README.md
addedd contentvisibilityautostatechange_event for hidden input
2024-10-13 23:23:07 +01:00
FatEarthler
975dde665a
added 'xss_alert_identifiable.txt'
same as 'xss_alert.txt', but with identifiable payloads (e.g. alert(1992) instead of just alert(1)). This is useful in case of stored xss, when you inject all the payloads and then need to identify which payloads were successful.
2024-09-14 22:14:45 +02:00
Swissky
3eae8d7458 Fix typo and structure 2024-09-11 17:07:51 +02:00
Swissky
1dae291696 IIS MachineKeys + CI/CD + CSPT + ORM leak 2024-08-26 11:27:47 +02:00
Alexandre ZANNI
8e05a2dd2a
XSS in SVG: more examples + nesting 2024-06-19 14:54:19 +02:00
isacaya
ca3ab6eb95 Add a few XSS filter bypass cases 2024-06-19 04:21:24 +09:00
Swissky
314e4da963 SSRF DNS AXFR + LFI PHAR payloads + LFI iconv 2024-06-16 21:17:42 +02:00
masquerad3r
eca067dd7e
Create port_swigger_xss_cheatsheet_event_handlers.txt
Updated list of event handlers taken from https://portswigger.net/web-security/cross-site-scripting/cheat-sheet#event-handlers.

Useful when the context of reflection is an HTML attribute and one quickly wants to check which attributes are reflected unfiltered by the target application.
2024-06-06 10:46:13 +02:00
Swissky
c34a2bac15 WAF bypass moved to a separate page 2024-06-03 09:55:29 +02:00
Swissky
2e73069238 XSS Tel URI 2024-06-03 09:37:24 +02:00
dave
fcf69f8226 Add additional XSS payload in email addresses RFC5322 2024-05-31 13:27:32 +02:00
Swissky
67adf75bc2 CSP updates + Indirect Prompt Injection 2024-05-29 15:32:58 +02:00
Vunnm
27d19813f8
specify condition to perform Angular JS Injection
Indicate that ng-app in a root element is needed to inject Angular JS template. Injecting below payload without a root element with ng-app will not result in a successful injection
2023-12-28 13:30:49 +01:00
Thomas Emerson Glucklich
49bc19e992
Update README.md 2023-11-01 11:32:31 -04:00
Swissky
b8c803717a WDAC Policy Removal + SSRF domains 2023-05-31 14:18:25 +02:00
Swissky
14cc88371d WSL + RDP Passwords + MSPaint Escape 2023-02-11 17:49:55 +01:00
Swissky
514ac98dac SSRF + XSS details + XXE BOM 2022-12-13 22:29:20 +01:00
Swissky
3e9ef2efbe ADFS Golden SAML 2022-11-07 10:10:21 +01:00
Swissky
2227472e1c .NET formatters and POP gadgets 2022-11-03 21:31:50 +01:00
Fabian S. Varon Valencia
8136e462c2 remove old link, I can't find a replacement url 2022-10-26 20:36:52 -05:00
Fabian S. Varon Valencia
3822c27634 update old url's 2022-10-26 20:36:15 -05:00
Cory Cline
a8d8434756
Shortened payload
Make payload shorter.
2022-10-13 19:48:20 -05:00
Cory Cline
fbed4254e5
Fixed an oops
Somehow I deleted line 120 in a prior commit. Fixed.
2022-10-13 18:52:07 -05:00
Cory Cline
9ee8f092cd
Changed link for document.cookie blacklist
Link was not working due to use of period in title.
2022-10-13 18:46:52 -05:00
Cory Cline
9a42be1113
Replaced console.log with alert
It's more common to want alert screenshots vs console screenshots.
2022-10-13 18:45:55 -05:00
Cory Cline
f23f28c4e2
Shortened payload
Shortened the document.cookie blacklist bypass payload.
2022-10-13 18:43:54 -05:00
Cory Cline
5d561ea7d6
Added document.cookie blacklist bypass
Added an alternative to document.cookie for situations when this text is blacklisted.
2022-10-13 18:23:36 -05:00
clem9669
2aa353a5b9
Update XSS_Polyglots.txt
Adding the latest BruteLogic polyglot
2022-10-05 09:45:15 +00:00
Deep Dhakate
a670a26eea Update 2022-10-02 06:13:01 +00:00
clem9669
88134256c8
Adding brutelogic polyglot
Adding brutelogic polyglot from blog post.
2022-09-13 11:58:10 +00:00
Swissky
d24e3f2d61
Merge pull request #497 from kz-cyber/xss/angular-xss-2
[update] Angular XSS payload
2022-09-07 00:34:29 +02:00
its0x08
31b213227e fix: Fix more spelling 2022-08-09 11:05:40 +02:00
its0x08
fc1f3b25a7 fix: Fix spelling 2022-08-09 11:02:21 +02:00
khiemtq-cyber
507c493db2 Update Angular XSS 2022-05-07 12:55:15 +07:00
idealphase
6738f878f3
Updated README.md
Added References: Bypassing Signature-Based XSS Filters: Modifying Script Code
2022-04-19 10:45:32 +07:00
idealphase
de532030df
Merge branch 'swisskyrepo:master' into master 2022-04-19 10:43:04 +07:00
Swissky
85a50869f2
Merge pull request #482 from khiemtq-cyber/xss/angular-xss-1
[update] Angular XSS payload
2022-04-18 21:01:44 +02:00
Ooggle
39d1c6e7d8
Add document blacklist bypass 2022-04-09 12:55:21 +02:00
ktq-cyber
5d898e004f [update] Angular XSS payload 2022-02-23 22:26:16 +07:00